Process and device for authenticating subscribers to digital exchanges

ABSTRACT

A device for authenticating subscribers to one or more exchanges of a digital communication network having at least one subscriber-side network terminator, to which at least one data terminal may be connected. It is a distinction of the invention that provision is made at every subscriber for at least one first authentication module capable of receiving a first identification carrier, and provision is made in the exchange for at least one second authentication module capable of receiving a second identification carrier, or that, alternatively, connected between the network terminators assigned to the exchange and the exchange is an additional device, in which is arranged a second authentication module capable of receiving a second identification carrier, the authentication modules being capable of encoding and/or decoding a piece of information with an individual, subscriber-specific key and of exchanging information with each other for unilateral and/or bilateral authentication.

FIELD OF THE INVENTION

The present invention concerns a process for authenticating subscribers to one or more exchanges of a digital communication network, in particular an ISDN network, as well as a device for authenticating subscribers.

RELATED TECHNOLOGY

Digital telecommunication networks are known that feature a plurality of subscriber connections and digital exchanges. Since a subscriber connection is linked to a digital exchange via unsecured lines, intruders or eavesdroppers can tap into the lines at different points. An intruder, once having gained access to the exchange system, can use the exchange at the expense of the subscriber, even without being authorized to do so.

In the article “SECURE CCM,” published in TELESIS, vol. 16, No. 2, Jan. 1, 1989, pp. 42 through 50, XP000072004, Diffie et al. disclose, among other things, an authentication method according to which the receiver of information can ascertain the authenticity of the sender's identity. However, the known method is based on the technically very complex and therefore also costly Rivest, Shamir & Adleman (RSA) algorithm. Nor does the article give any indication of how the verification of the sender's identity could be performed in a cost-effective manner in the sender's exchange.

In the article “ENCRYPTION AND ISDN—A NATURAL FIT,” published in International Switching Symposium 1987, Mar. 15-20, 1987, Phoenix, Ariz., U.S., pp. 863 through 869, XP002017713, O'Higgins et al. describe a method for encoded transmission of a plain text produced by a sender to a receiver via an ISDN network. In order to exchange plain text between the two subscribers in a secure manner, O'Higgins et al. propose that either a security module be implemented in each data terminal installed at the subscriber or that a security module be implemented only in the network terminator to which the data terminals are connected.

In the article “INTEGRATING CRYPTOGRAPHY IN ISDN,” published in Advances in Cryptology, Santa Barbara, Aug. 16-20, 1987, Conf. No. 7, Jan. 1, 1987, Pomerance C., pp. 9-18, XP000130200, K. Presttun describes an authentication procedure based on public-key cryptography. This procedure uses a central authentication server, which contains the public keys of all users. Again, authentication takes place between the communicating subscribers themselves. One disadvantage of this known authentication procedure is that a central authentication server must be made available and, in addition, a full connection must be established prior to the authentication procedure proper, which not only entails expenses but is also technically complex.

Therefore, the object of the invention is to make misuse of the exchange by unauthorized intruders difficult or even impossible.

The present invention is implemented in a digital communication network, in particular an ISDN network. Such a digital communication network includes, as is known, a plurality of exchanges and at least one network termination installed at the subscriber, to which at least one data terminal, such as a telephone set, personal computer, or fax machine, can be connected. Undesired use of an exchange by an intruder is prevented by providing at least one first authentication module to each subscriber; said authentication module is capable of receiving an identification carrier. In addition, at least one second authentication module capable of receiving a second identification carrier is provided in the exchange, with both authentication modules being capable of encoding and/or decoding information with a subscriber-specific cryptographic key and of exchanging that information with each other for unilateral or bilateral authentication.

Connection-specific assemblies containing the second authentication module are installed at each exchange. This embodiment is, however, expensive and complex, since the exchanges must be rebuilt.

A more cost-effective method, which can be implemented in a simpler manner, consists of installing additional assemblies, based on the existing digital exchange, between the exchange and the respective network terminations. The respective second authentication module for each subscriber connection is installed in these additional assemblies.

The first authentication module of a given connection owner is advantageously arranged in the network termination corresponding to each subscriber connection. In this case a single authentication module is sufficient even if the owner has connected up to eight data terminals to the network termination via an S₀ bus. It is perfectly possible to equip each data terminal of a given network termination with its own authentication module and its own identification carrier. Another alternative may consist of connecting a security device containing the corresponding authentication module between each data terminal and its network termination. It can easily be seen, however, that both of the latter implementation options are complex and costly, since each data terminal requires both its own authentication module and a connection-specific identification carrier. The information to be exchanged between the two authentication modules to authenticate the subscriber connection contains the address of a certain subscriber connection, a command sequence, which may contain, for example, the request for the first authentication module to encode the incoming information, and a random number. If the digital communication network is an ISDN network, the exchange of information between the first authentication module and the second authentication module takes place via the D channel of the ISDN network. Each identification carrier can then store an individual cryptographic key that is specific to a given subscriber connection owner. The identification carrier may be a smart card that can be inserted by the owner of a subscriber connection in the first authentication module and by an employee of the network operator in the second authentication module. An advantageous alternative provides a software module as the identification carrier, which can be used interchangeably in the respective authentication module.

In an advantageous refinement, the first authentication module can additionally encode confidential connection establishment and/or service information, and the second authentication module, assigned to the exchange, can decode the information thus encoded.

Since connection establishment and/or service information requires a higher bit rate than authentication information, it is convenient to install, for the first and second authentication modules, separate cryptographic modules used exclusively for encoding and decoding the connection establishment and/or service information.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is explained below with reference to the embodiments illustrated in the following figures, in which:

FIG. 1 schematically shows a section of a digital communication network with a line from a telephone set to a digital exchange where the present invention is implemented,

FIG. 2 shows a second embodiment where the authentication module according to the present invention is installed in an additional device on the exchange side,

FIG. 3 shows a detailed block diagram of the network termination with the authentication module according to the present invention,

FIG. 4 shows a detailed block diagram of a connection-specific assembly in the exchange with a built-in authentication module, and

FIG. 5 shows the frame format of the ISDN bit stream.

DETAILED DESCRIPTION

FIG. 1 shows in a simplified form a part of a digital communication network, exemplified in the description that follows as an ISDN network. A telephone set 20 is illustrated as a data terminal on the subscriber side, which is connected to a network termination 10 via an S₀ bus 25. Network termination 10, also referred to as Net Terminator (NT), can be installed in the building or room of a subscriber connection owner. Up to eight data terminals, such as other telephone sets 20, fax machines, or personal computers, can be connected to the S₀ bus 25. In the example illustrated, an authentication module 40 according to this invention is built into network terminator 10, where an identification carrier 50 can be inserted. Identification carrier 50 can be a smart card or a software module. Authentication module 40 and identification carrier 50 are designed so that they can encode or decode information to authenticate a given subscriber with a subscriber-specific or connection-specific key. This key can be stored in a storage module of the smart card of the connection owner. The output of network termination 10 is connected to a corresponding ISDN exchange 30 via a twisted two-wire cable in a known manner. Of course, an ISDN network includes a plurality of network terminators 10 and a plurality of exchange systems 30, which may be interconnected via twisted two-wire cables. In the future, conventional two-wire cables can be supplemented and replaced by fiber-optic cables, for example. Exchange 30 includes a plurality of assemblies 80 (FIG. 1 only illustrates a single connection-specific assembly 80), assigned to certain subscriber connection owners. According to the first embodiment of this invention, an authentication module 60 is arranged in each connection-specific assembly 80, where a subscriber's smart card or a connection-specific software module 70 is inserted by an operator if needed.

It is assumed that identification carrier 70 in exchange 30 also contains the individual cryptographic key of the connection owner for telephone set 20. The precise sequence for authenticating the subscriber of telephone set 20 to exchange 30 is explained in more detail below.

FIG. 2 shows an alternative embodiment where additional device 110 is connected between network termination 10 and exchange 30. For greater clarity, FIG. 2 shows additional device 110 only with the built-in authentication module 60. Normally all authentication modules of subscribers or network terminators jointly served by exchange 30 are installed in additional device 110. The corresponding connecting lines are indicated in FIGS. 1 and 2: line NT1 to network terminator 10, line NT2 to a second subscriber or network terminator, line NT3 to a third subscriber or network terminator, and line Nth to an nth subscriber or network terminator. Again, identification carriers 70 can be inserted as smart cards from the outside by an operator or, in the implementation as a software module, can be introduced in the respective authentication module 60. Additional device 110 has the advantage that existing ISDN network exchanges can continue to be used without time-consuming, costly, and complex modifications of the exchange system to perform authentication, for example, of the subscriber of telephone set 20 to exchange 30.

FIG. 3 shows a simplified block diagram of the known network terminator 10, in which the authentication module 40 according to this invention, together with identification carrier 50, is installed. On the subscriber side, network terminator 10 has a connection unit for S₀ bus 25, to which up to eight data terminals 20 can be connected. Since the structure and the mode of operation of network terminator 10 are generally known, only the essential assemblies are briefly explained below. Basically, network terminator 10 has a send path and a receive path. The send path includes an encoder 210, which modulates the outgoing data stream according to known encoding procedures, and a multiplexer 200, which combines the two B channels and the D channel into a continuous data stream in a time multiplexing operation. A suitable frame format consists of 48 bits per 250 ms, with only four D channel bits provided per frame. In other words, 16 kbits/sec are transmitted over the D channel. As explained below, a subscriber is authenticated to exchange 30 via this D channel. The send path then goes to a hook switch 170 via a transmitter 180; said hook switch sends the outgoing data stream to a two-wire cable connecting exchange 30 with network terminator 10. Incoming data streams go through hook switch 170, a receiver 160, and a device 150, which equalizes and amplifies the data stream received and recovers the clock signal from it. Then the data stream passes through a demultiplexer 140, which decomposes the data stream again into the two B channels and the D channel. The demultiplexed data stream passes through decoder 130 and is then transmitted, according to a destination address, to telephone set 20, for example, via the S₀ bus 25. An echo compensation 190, connected in parallel between transmitter 180 and receiver 160, is used, among other things, for compensating outgoing messages that leak into the receive path through hook switch 170 and receiver 160.

The heart of network terminator 10 is a controller 220, which manages and coordinates the individual assemblies. The authentication module 40 according to this invention, with the inserted identification carrier 50, is connected, for example, to controller 220, encoder 210, multiplexer 200, demultiplexer 140, and decoder 130. Controller 220 is also responsible for activating or deactivating the authentication device, i.e., authentication module 40 and identification carrier 50, as required by the situation.

FIG. 4 shows an example of a block diagram of a subscriber-specific assembly 80, installed in exchange 30. The connection-specific assembly 80 basically forms the counterpart of network terminator 10. Incoming data messages go, via the two-wire line, to a hook switch 230 and then pass through a demultiplexer 240, a decoder 250, and a D channel handler 260. D channel handler 260 supplies control information to a central controller of exchange 30. In the opposite direction, outgoing messages pass through an encoder 270, a multiplexer 290, and a hook switch 230 on the two-wire line to network terminator 10. Also in connection-specific assembly 80, a controller 280 is responsible for the management of and interaction between the individual assemblies. Authentication module 60 is installed in a connection-specific assembly 80, according to this invention, with a smart card that can be inserted from the outside, or a software module 70 that can be introduced. Authentication device 60, 70, which includes authentication module 60 and identification carrier 70, is connected to encoder 270, decoder 250, D channel handler 260, and controller 280. As mentioned previously, authentication device 60, 70 can also be installed in supplemental device 110, as shown in FIG. 2.

It is, in fact, convenient to install authentication device 40, 50 (authentication module 40 and identification carrier 50) in network terminator 10 itself, since in this way only one authentication device 40, 50 is required, regardless of the number of data terminals 20 connected. However, it is also conceivable to arrange the subscriber-side authentication device 40, 50 in each data terminal 20. Another alternative consists of providing a security device (not illustrated) between network terminator 10 and each connected data terminal 20; authentication device 40, 50 is then implemented in said security device. The latter two options, however, entail a considerable disadvantage in that for each data terminal 20 that a subscriber wishes to connect to the respective network terminator 10, he must purchase a separate authentication device 40, 50. For economic reasons, it is convenient to install authentication device 40, 50, shown in FIG. 1, in network terminator 10 itself. Then identification carrier 50 can be installed in the form of a software module by the network operator when network terminator 10 is installed at the subscriber. If identification carrier 50 is a smart card, the subscriber can purchase this card, containing the subscriber's individual subscriber key, e.g., from the network operator.

The authentication of the subscriber of telephone set 20 to exchange 30 is now described in detail.

It is assumed that one subscriber-side authentication device 40, 50 is installed in network terminator 10 and a second authentication device 60, 70 is installed in assembly 80, assigned to that subscriber in exchange 30. According to the embodiment illustrated in FIG. 2, authentication device 60, 70 can also be installed in supplementary device 110. The procedures described below occur basically in the same way in both cases.

Let us assume a case where the subscriber lifts the earpiece of his telephone set 20 to announce his wish to establish a connection. Telephone set 20 sends a connection establishment message to exchange 30 via network terminator 10. Responding to the connection establishment message, exchange 30 sends a connection establishment confirmation message back to network terminator 10. In addition, authentication information is transmitted from exchange 30 to network terminator 10. This authentication information may contain address data of the subscriber and of telephone set 20, command data, and information data. Command data include, for example, for authentication device 40, 50 in network terminator 10, the request “send back received information encoded.” The information used for authentication may be, for example, a random number at least 8 bytes long, together with any amount of filler information. Controller 220 reads the authentication information received, in particular the command data, and causes authentication device 40, 50 to encode the information transmitted with the address and command data using a subscriber- or connection-specific key and to send it back to identification carrier 70 of exchange 30 via multiplexer 200, transmitter 180, hook switch 170, and the two-wire line. As mentioned earlier, the information used for authentication is transmitted in the D channel, filtered out from the data received with the help of demultiplexer 140, and sent to identification carrier 50. The encoded information arrives at authentication module 60 in the subscriber-specific assembly 80 of exchange 30. Controller 280 activates authentication device 60, 70 to decode the encoded information with the subscriber-specific key, which corresponds to the key on identification carrier 50 of network terminator 10. Controller 280 or authentication device 60, 70 then compares the decoded information with the information sent previously.

If the two pieces of information agree, D channel handler 260 is activated via controller 280 and sends a control message to the central unit of exchange 30 to inform it that the subscriber wishing to establish a connection is authorized to do so. Then exchange 30 causes the subscriber's network terminator 10 to transmit connection establishment and service information.

An advantageous refinement provides for the connection establishment and service information to also be transmitted in an encoded form to exchange 30, for example, in the D channel. The subscriber's connection establishment and service information is encoded either by the authentication device 40, 50 itself or by an additional security device consisting of a security module and an identification carrier (not illustrated). Authentication device 60, 70 or a separate security device consisting of a security module and a subscriber-specific identification carrier in the exchange or in the additional device is responsible for decoding the encoded connection establishment and/or service information. Thanks to the combination of these two procedures, the danger of unauthorized intruders being able to tap into the connecting line between network terminator 10 and exchange 30 and eavesdrop on subscriber-confidential messages in order to use the exchange at the subscriber's expense in an unauthorized manner is considerably reduced if not completely eliminated.

Another authentication process has the subscriber authenticated to exchange 30 prior to the start of connection establishment. The subscriber picks up the earpiece of his telephone set 20, whereupon network terminator 10 transmits a connection establishment message to exchange 30. Instead of sending back a connection establishment confirmation message, exchange 30 or supplementary device 110 causes an unencoded message, consisting of the target address of a certain subscriber connection, a command sequence, and the information to be encoded, to be transmitted. In response to the command sequence, controller 220 in network terminator 10 activates authentication device 40, 50, which then encodes the information transmitted in the D channel with the subscriber-specific cryptographic key and, as described above, sends it back to authentication module 60 in exchange 30. Controller 280 of exchange 30 activates authentication device 60, 70 to decode the encoded information with the subscriber-specific key known to said authentication device. If the unencoded transmitted information agrees with the decoded information, the central unit of exchange 30 obtains, via D channel handler 260, the information that the subscriber wishing to establish a connection is authorized to do so, and causes the exchange to send a connection establishment confirmation message to network terminator 10. The subscriber is now authenticated to the exchange and can transmit the connection establishment and service information to the exchange.

According to another process, authentication device 60, 70 on connection-specific assembly 80 of exchange 30 sends, at predefined, settable intervals, information including an address and a command sequence to network terminator 10. Controller 220 of network terminator 10 interprets the command sequence. After interpretation, the controller activates authentication device 40, 50 to supplement the information incoming via the D channel if necessary, to encode it with the individual subscriber-specific key, and to send it back to authentication module 60 in exchange 30. Controller 280 in subscriber-specific assembly 80 now activates authentication module 60 to decode the encoded information received with the subscriber-specific key that is known to said authentication module. If authentication device 60, 70 or controller 280 determines that the pieces of information to be compared do not coincide, and thus the identity check is negative, it sends a message to the central unit of exchange 30, via the D channel handler 260, not to initiate any connection establishment. The above-described procedure can also be used to check the authorization of a subscriber during ongoing communication. If an unauthorized intruder has tapped onto the line between network terminator 10 and exchange 30, authentication device 60, 70 will determine, after the predefined, settable interval at the latest, that an intruder has tapped onto the connection. Exchange 30 then causes the connection to be terminated.
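The challenge-and-response exchange described in the three procedures above (authentication after the confirmation message, authentication before it, and the periodic re-check at settable intervals), as an added Python illustration; this is not code from the patent. The patent leaves the subscriber-specific "encoding" unspecified, so the invertible 4-round Feistel permutation keyed through HMAC-SHA256, the 4-byte address, the 16-byte block layout (8-byte random number plus 8 bytes of filler) and the class names are all assumptions made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Command named in the description: "send back received information encoded".
CMD_SEND_BACK_ENCODED = 0x01
RANDOM_LEN = 8        # "at least 8-byte long random number"
BLOCK = 16            # random number plus filler (constructed layout, not from the patent)
HALF = BLOCK // 2
ROUNDS = 4


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function; stands in for the patent's unspecified cipher (assumption)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(key: bytes, block: bytes) -> bytes:
    """Invertible keyed permutation (4-round Feistel) of one 16-byte block."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def decode(key: bytes, block: bytes) -> bytes:
    """Inverse of encode(): the same rounds undone in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


@dataclass(frozen=True)
class DChannelMessage:
    """Address, command sequence and information, as carried in the D channel."""
    address: bytes
    command: int
    info: bytes


class ExchangeAssembly:
    """Connection-specific assembly 80 (or additional device 110) with carrier 70."""

    def __init__(self, address: bytes, key: bytes) -> None:
        self.address = address
        self.key = key            # subscriber-specific key from identification carrier 70
        self.pending: Optional[bytes] = None

    def challenge(self) -> DChannelMessage:
        """Fresh random number plus filler, remembered for the later comparison."""
        self.pending = os.urandom(RANDOM_LEN) + bytes(BLOCK - RANDOM_LEN)
        return DChannelMessage(self.address, CMD_SEND_BACK_ENCODED, self.pending)

    def verify(self, reply: Optional[DChannelMessage]) -> bool:
        """Decode with the subscriber key and compare with the information sent."""
        expected, self.pending = self.pending, None   # each challenge is answered once
        if reply is None or expected is None or reply.address != self.address:
            return False
        if len(reply.info) != BLOCK:
            return False
        return hmac.compare_digest(decode(self.key, reply.info), expected)


class NetworkTerminator:
    """Network terminator 10 with authentication module 40 and carrier 50."""

    def __init__(self, address: bytes, key: bytes) -> None:
        self.address = address
        self.key = key            # key held on identification carrier 50

    def handle(self, msg: DChannelMessage) -> Optional[DChannelMessage]:
        """Controller 220 interprets the command and returns the information encoded."""
        if msg.address != self.address or msg.command != CMD_SEND_BACK_ENCODED:
            return None
        return DChannelMessage(self.address, msg.command, encode(self.key, msg.info))


def authenticate(exchange: ExchangeAssembly, nt: NetworkTerminator) -> bool:
    """One challenge/response round trip over the D channel."""
    return exchange.verify(nt.handle(exchange.challenge()))


def periodic_check(exchange: ExchangeAssembly, nt: NetworkTerminator, rounds: int) -> int:
    """Repeat the check as at 'settable intervals'; index of the first failure, or -1."""
    for n in range(rounds):
        if not authenticate(exchange, nt):
            return n
    return -1


def demo() -> dict:
    """Constructed sample: a genuine NT, a device with another key, and a replayed reply."""
    addr, key = b"\x00\x00\x00\x2a", os.urandom(32)
    exchange = ExchangeAssembly(addr, key)
    genuine = NetworkTerminator(addr, key)
    other_key = NetworkTerminator(addr, os.urandom(32))
    old_reply = genuine.handle(exchange.challenge())   # an earlier, observed response
    exchange.verify(old_reply)
    exchange.challenge()                               # new random number issued ...
    replayed = exchange.verify(old_reply)              # ... answered with the old reply
    return {"genuine": authenticate(exchange, genuine),
            "other_key": authenticate(exchange, other_key),
            "replay": replayed,
            "periodic": periodic_check(exchange, genuine, 5)}


if __name__ == "__main__":
    print(demo())
```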

What is claimed is:
1. A system for authenticating a subscriber to an exchange of a digital communication network, the digital communication network including a subscriber-side network terminator for connecting a data terminal, the system comprising: an authentication module arranged at the subscriber for receiving a first identification carrier containing a subscriber-specific cryptographic key, the authentication module including: means for encoding information by using the subscriber-specific cryptographic key to provide encoded information, and means for transmitting the encoded information; and another authentication module, arranged at one of the exchange and a location upstream from the exchange, for receiving another identification carrier containing the subscriber-specific cryptographic key, including: means for decoding the encoded information by using the subscriber-specific cryptographic key to authenticate the subscriber to the exchange.
2. The system as recited in claim 1, further comprising: means for establishing a connection between the network terminator and the exchange after the functions of encoding, transmitting encoded information, and decoding have been performed; and means for causing the exchange to request at least one of establishment information and service information if the subscriber has been authenticated.
3. A method for authenticating subscribers to at least one exchange of a digital communication network, the digital communication network including at least one subscriber-side network terminator for connecting at least one data terminal, at least one authentication module arranged at a subscriber for receiving a first identification carrier containing a subscriber-specific cryptographic key, and at least one second authentication module arranged at one of the exchange and a location immediately upstream from the exchange for receiving a second identification carrier containing the subscriber-specific cryptographic key, the method comprising the steps of: transmitting information from the second authentication module to the first authentication module, encoding the information received with the subscriber-specific cryptographic key in the first authentication module, and transmitting the encoded information back to the second authentication module, and decoding the encoded information in the second authentication module with the subscriber-specific cryptographic key to authenticate the subscriber to the exchange.
4. The method as recited in claim 3 further comprising the step of establishing a connection between the network terminator and the exchange after the steps of transmitting information, encoding, and decoding, and upon successful authentication of the subscriber, causing the exchange to request at least one of establishment and service information.
5. The method as recited in claim 3 further comprising the step of establishing a connection between the network terminator and the exchange, and upon establishing the connection the exchange performs the transmitting of information step, the transmitting of information step including transmitting a connection establishment confirmation signal and information to the data terminal, and then the steps of encoding and decoding are performed.
6. The method as recited in claim 3 further comprising the step of establishing a connection between the network terminator and the exchange after authenticating the subscriber and thereafter periodically checking the authenticity of the subscriber.
7. The method as recited in claim 3 further comprising the steps of: transmitting information from the first authentication module to the second authentication module, encoding the information received in the second authentication module with the help of the subscriber-specific cryptographic key and transmission of the coded information back to the first authentication module, decoding the information in the first authentication module with the help of the subscriber-specific cryptographic key for authentication of the exchange to the subscriber.
8. The method as recited in claim 3 wherein the information used to authenticate the subscriber is transmitted over a D channel of an ISDN network.
9. A device for authentication of subscribers to at least one exchange of a digital communication network with at least one subscriber-side network terminator for connecting at least one data terminal, the device comprising: at least one first authentication module for receiving a first identification carrier, the first authentication module arranged at each subscriber; and at least one second authentication module for receiving a second identification carrier being arranged one of at and immediately upstream from the exchange, with the first and second authentication modules capable of at least one of encoding and decoding with a subscriber-specific key and of exchanging information for at least one of unilateral and bilateral authentication.
10. The device as recited in claim 9 further comprising an additional device arranged between the network terminator and the exchange, the second authentication module being arranged in said additional device.
11. The device as recited in claim 9 further comprising the at least one data terminal, the at least one data terminal being connected to the network terminator and wherein the first authentication module is arranged in each of the at least one data terminal.
12. The device as recited in claim 9 further comprising the at least one data terminal and a security device, the security device containing at least the first authentication module and being located between the network terminator and each of the at least one data terminal.
13. The device as recited in claim 9 wherein the first authentication module is arranged in the network terminator.
14. The device as recited in claim 9 wherein the information to be exchanged contains the address of a subscriber connection, a command sequence, and a random number.
15. The device as recited in claim 9 wherein the digital communication network is an ISDN network and the information used for authentication to be exchanged is exchanged via a D channel of the ISDN network.
16. The device as recited in claim 9 wherein the first identification carrier and second identification carrier are one of smart cards and software modules.
17. The device as recited in claim 9 wherein the first authentication module is capable of encoding at least one of confidential connection establishment and confidential service information, and the second authentication module is capable of decoding at least one of the encoded connection establishment and the encoded service information.
18. The device as recited in claim 9 further comprising a security module for receiving an identification carrier and of at least one of encoding and decoding at least one of connection establishment and service information, the security module capable of being installed separately for each first and second authentication module.